Banking Regulator Issues New Phishing Alert

A federal banking regulatory agency has issued a warning about a new phishing campaign that aims to con consumers into disclosing personal and financial details by feigning to be a request from the regulator.

Experts say these types of attacks are getting more sophisticated, and that continuous, proactive monitoring of spam email is a necessity to identify targeted campaigns quickly (see Spear Phishing: A Bigger Concern in 2015).

The National Credit Union Administration (NCUA) says the phishing emails originate from what appears to be a legitimate website managed by the National Credit Union, an Australian financial services company that claims to offer products and services to consumers in the U.S., Europe and the Commonwealth of Independent States.

"This website is not affiliated in any way with the National Credit Union Administration, a federal agency, and the emails are not from NCUA," the NCUA notes in its alert. "The emails attempt to persuade individuals to provide personal information, such as Social Security numbers, account numbers and login information, or transfer large amounts of money. Consumers should neither provide information to this website nor attempt to conduct any financial transactions through it."

As of March 19, the National Credit Union website had been deactivated.

The NCUA points out that it would never request consumers submit personal or account information through an emailed solicitation.

"NCUA is working with the appropriate federal agencies on this matter," writes NCUA spokesman John Fairbanks in a March 18 email to Information Security Media Group. "To date, we are not aware of any financial losses or loss of personal information as a result of this phishing operation."

Prevention Difficult

Rob Sadowski, director of technology solutions for security firm RSA, says it's difficult for government agencies to prevent their brands from being used in phishing campaigns. "Their brands stand for what the phishers are relying on to get consumers to click on these malicious emails: Trust in the sender," he says.

Phishers are getting better at copying specific formatting or graphics used by agencies, Sadowski adds.

Although monitoring spam email by agencies can help prevent phishing that capitalizes on their brands, "there will always be that attack that gets through and that will be identified by the consumer first," says Daniel Cohen, who heads up the anti-fraud services group at RSA. "That said, having the necessary remediation capability in place can provide for quick takedown of the attack and rapid investigation into its sources."

Another key step for agencies, Cohen says, is to work with Internet service providers and law enforcement to have the websites that send phishing emails shut down.

But John Wilson, field chief technology officer for online security firm Agari, says the only way to truly block phishing messages is by deploying the DMARC (Domain-based Message Authentication, Reporting and Conformance) standard. DMARC can help organizations authenticate the source of e-mails and block spam.

"This standard, which is supported by Google, Microsoft, Yahoo, AOL, Comcast and others, allows domain owners to control the use of their domains in email," Wilson says. "Without DMARC, anyone can send an email using the bank's email domain."
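To make the DMARC point concrete, the following added example (not code from the article, Agari or any DMARC implementation) evaluates a message the way a receiving mail server does under RFC 7489: it parses the domain owner's DMARC TXT record, checks whether an SPF or DKIM result is aligned with the visible From: domain, and returns the disposition the record requests. The domains and records are constructed for the example, and the organizational-domain helper is simplified (real receivers consult the Public Suffix List). The spoofed message below illustrates Wilson's point: with no record or a `p=none` record it is merely observed, while a `p=reject` record lets the receiver refuse it even though the sender's own SPF check passed.

```python
"""DMARC disposition evaluation (RFC 7489), simplified for illustration."""
from dataclasses import dataclass
from typing import Optional, Tuple


def organizational_domain(domain: str) -> str:
    """Return the organizational domain, simplified to the last two labels.

    Real implementations consult the Public Suffix List; this shortcut is
    sufficient for the constructed .invalid domains used below.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc_record(txt: str) -> dict:
    """Parse the 'tag=value;' pairs of a DMARC TXT record."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: v=DMARC1 and p= are required")
    tags.setdefault("adkim", "r")  # DKIM alignment mode defaults to relaxed
    tags.setdefault("aspf", "r")   # SPF alignment mode defaults to relaxed
    return tags


def is_aligned(auth_domain: str, header_from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment requires an exact match; relaxed ('r') requires
    the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == header_from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(header_from_domain)


@dataclass
class AuthResults:
    """Authentication results the receiver already computed for one message."""
    header_from: str              # domain of the visible From: header
    spf_domain: Optional[str]     # MAIL FROM domain that SPF was evaluated against
    spf_pass: bool
    dkim_domain: Optional[str]    # d= of a signature that verified
    dkim_pass: bool


def dmarc_disposition(record_txt: str, results: AuthResults) -> Tuple[str, str]:
    """Return (dmarc_result, disposition) for a message under the given record.

    DMARC passes when at least one of SPF or DKIM passed *and* its domain is
    aligned with the From: domain; otherwise the record's p= policy applies.
    (Subdomain policy sp= and sampling pct= are omitted for brevity.)
    """
    rec = parse_dmarc_record(record_txt)
    spf_aligned = bool(results.spf_pass and results.spf_domain
                       and is_aligned(results.spf_domain, results.header_from, rec["aspf"]))
    dkim_aligned = bool(results.dkim_pass and results.dkim_domain
                        and is_aligned(results.dkim_domain, results.header_from, rec["adkim"]))
    if spf_aligned or dkim_aligned:
        return "pass", "none"
    return "fail", rec["p"]


# Constructed records and messages for a hypothetical bank domain.
MONITOR_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example-bank.invalid"
REJECT_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example-bank.invalid"
STRICT_RECORD = "v=DMARC1; p=quarantine; aspf=s; adkim=s"

# A spoof: From: shows the bank, but SPF only passed for the sender's own domain.
SPOOFED = AuthResults(header_from="example-bank.invalid",
                      spf_domain="bulk-mailer.invalid", spf_pass=True,
                      dkim_domain=None, dkim_pass=False)

# The bank's own mail: bounces go to a subdomain, which relaxed alignment accepts.
LEGIT = AuthResults(header_from="example-bank.invalid",
                    spf_domain="bounce.example-bank.invalid", spf_pass=True,
                    dkim_domain=None, dkim_pass=False)

if __name__ == "__main__":
    for name, rec in (("monitor", MONITOR_RECORD), ("reject", REJECT_RECORD)):
        print(name, "spoofed ->", dmarc_disposition(rec, SPOOFED))
    print("reject legit  ->", dmarc_disposition(REJECT_RECORD, LEGIT))
    print("strict legit  ->", dmarc_disposition(STRICT_RECORD, LEGIT))
```

The last case shows a common rollout pitfall: switching to strict alignment without also signing with DKIM at the exact From: domain causes the bank's own mail to fail, which is why DMARC deployments normally start at `p=none`, read the aggregate reports sent to the `rua=` address, and only then move to `quarantine` or `reject`.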

Case of Mistaken Identity

In its warning about this most recent scam, the NCUA advises consumers who have received a phishing email to contact the NCUA's fraud hotline and the Internet Crime Complaint Center, a partnership between the Federal Bureau of Investigation and the National White Collar Crime Center.

Phishing attacks that exploit the brands of federal banking regulators are not new. In late 2011, the Federal Deposit Insurance Corp., which like the NCUA is a member of the Federal Financial Institutions Examination Council (FFIEC), warned consumers of a similar type of attack (see Phishing Targets FDIC).

Financial fraud expert Al Pascual, a director at Javelin Strategy & Research, says campaigns that exploit regulatory agencies are often less effective than phishing attacks that feign to be from specific banks or credit unions.

"I doubt most consumers recognize the NCUA brand - even the FDIC may be a bit of a stretch to call a 'household name,'" he says.

Pascual advises regulators to "be on the lookout for phishing scams directed at the institutions under their supervision, as these scams would have the potential to cause far greater financial and reputational damage."

About the Author

A veteran journalist with more than 20 years' experience, Kitten has covered the financial sector for the last 13 years. Before joining Information Security Media Group in 2010, where she now serves as director of global events content and executive editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.
